CVE-2025-62783: 
Java vulnerability analysis and mitigation

InventoryGui, a library for creating chest GUIs for Bukkit/Spigot plugins, was found to contain a vulnerability (CVE-2025-62783) in versions 1.6.1-SNAPSHOT and earlier. The vulnerability was discovered on October 27, 2025, where any plugin using the GuiStorageElement could allow item duplication when the experimental Bundle item feature is enabled on the server (NVD, GitHub Advisory).

The vulnerability stems from a NullPointerException that occurs during double-click interactions with items placed in multiple slots. The issue is specifically located in the simulateCollectToCursor method of the InventoryGui.java file, where the original implementation failed to correctly associate inventory updates with the specific player performing the action. This created a race condition that could be exploited to duplicate items. The vulnerability has a CVSS v3.1 Base Score of 5.0 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N (Miggo, GitHub Advisory).

The vulnerability affects any plugin utilizing the GuiStorageElement component, potentially allowing players to duplicate items within the game inventory when specific conditions are met. This could lead to economic imbalances in game environments where item duplication could be exploited (GitHub Advisory).

The vulnerability has been patched in version 1.6.2-SNAPSHOT. Server administrators are advised to update to this version to ensure protection against the item duplication exploit. For those unable to update immediately, a temporary workaround is to avoid using the GuiStorageElement in GUIs. The fix was implemented through commit 27a52ef, which has been backported to 1.6.1-SNAPSHOT (GitHub Advisory).